Module org.elasticsearch.security
Class OperatorPrivileges.DefaultOperatorPrivilegesService
java.lang.Object
org.elasticsearch.xpack.security.operator.OperatorPrivileges.DefaultOperatorPrivilegesService
- All Implemented Interfaces:
OperatorPrivileges.OperatorPrivilegesService
- Enclosing class:
OperatorPrivileges
public static final class OperatorPrivileges.DefaultOperatorPrivilegesService
extends Object
implements OperatorPrivileges.OperatorPrivilegesService
-
Constructor Summary
Constructors
- Constructor: DefaultOperatorPrivilegesService(XPackLicenseState licenseState, FileOperatorUsersStore fileOperatorUsersStore, OperatorOnlyRegistry operatorOnlyRegistry)
-
Method Summary
Modifier and Type, Method, Description
- ElasticsearchSecurityException check(Authentication authentication, String action, TransportRequest request, ThreadContext threadContext)
  Check whether the user is an operator and whether the request is operator-only.
- boolean checkRest(RestHandler restHandler, RestRequest restRequest, RestChannel restChannel, ThreadContext threadContext)
  Checks to see if a given RestHandler is subject to operator-only restrictions for the REST API.
- void maybeInterceptRequest(ThreadContext threadContext, TransportRequest request)
  When operator privileges are enabled, certain requests need to be configured in a specific way so that they respect operator-only settings.
- void maybeMarkOperatorUser(Authentication authentication, ThreadContext threadContext)
  Set a ThreadContext Header AuthenticationField.PRIVILEGE_CATEGORY_KEY if authentication is an operator user.
-
Constructor Details
-
DefaultOperatorPrivilegesService
public DefaultOperatorPrivilegesService(XPackLicenseState licenseState, FileOperatorUsersStore fileOperatorUsersStore, OperatorOnlyRegistry operatorOnlyRegistry)
-
-
Method Details
-
maybeMarkOperatorUser
Description copied from interface: OperatorPrivileges.OperatorPrivilegesService
Set a ThreadContext Header AuthenticationField.PRIVILEGE_CATEGORY_KEY if authentication is an operator user.
- Specified by:
maybeMarkOperatorUser in interface OperatorPrivileges.OperatorPrivilegesService
-
check
public ElasticsearchSecurityException check(Authentication authentication, String action, TransportRequest request, ThreadContext threadContext)
Description copied from interface: OperatorPrivileges.OperatorPrivilegesService
Check whether the user is an operator and whether the request is operator-only.
- Specified by:
check in interface OperatorPrivileges.OperatorPrivilegesService
- Returns:
An exception if the user is a non-operator and the request is operator-only. Otherwise returns null.
-
checkRest
public boolean checkRest(RestHandler restHandler, RestRequest restRequest, RestChannel restChannel, ThreadContext threadContext)
Description copied from interface: OperatorPrivileges.OperatorPrivilegesService
Checks to see if a given RestHandler is subject to operator-only restrictions for the REST API. Any REST API may be fully or partially restricted. A fully restricted REST API mandates that the implementation results in restChannel.sendResponse(...) and returns false to prevent any further processing. A partially restricted REST API mandates that the RestRequest is marked as restricted and that the method returns true. No restrictions should also return true.
- Specified by:
checkRest in interface OperatorPrivileges.OperatorPrivilegesService
- Parameters:
restHandler - The RestHandler to check for any restrictions
restRequest - The RestRequest to check for any restrictions and mark any partially restricted REST APIs
restChannel - The RestChannel to enforce fully restricted REST APIs
- Returns:
true if processing the request should continue, false if processing the request should halt due to a fully restricted REST API
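The checkRest return contract described above, modelled as an added example (not Elasticsearch code and not part of this Javadoc). Restriction, Request, Channel and dispatch are hypothetical stand-ins for the real types, the path and response text are constructed, and treating operator users as unrestricted is an assumption.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in model of the checkRest contract; none of these types are Elasticsearch classes.
public class CheckRestContractDemo {
    enum Restriction { NONE, PARTIAL, FULL }

    // Hypothetical request: records whether it was marked as restricted.
    static final class Request {
        final String path;
        boolean markedRestricted = false;
        Request(String path) { this.path = path; }
    }

    // Hypothetical channel: records every response sent on it.
    static final class Channel {
        final List<String> sent = new ArrayList<>();
        void sendResponse(String body) { sent.add(body); }
    }

    // Mirrors the documented return values. Assumption: operator users are never restricted.
    static boolean checkRest(Restriction restriction, boolean isOperator, Request request, Channel channel) {
        if (isOperator || restriction == Restriction.NONE) {
            return true;                      // no restriction: continue processing
        }
        if (restriction == Restriction.PARTIAL) {
            request.markedRestricted = true;  // the handler must honour this mark
            return true;                      // partially restricted: continue processing
        }
        channel.sendResponse("403 operator-only API: " + request.path);
        return false;                         // fully restricted: response already sent, halt
    }

    // Caller side: the handler runs only when checkRest returned true.
    static String dispatch(Restriction restriction, boolean isOperator, Request request, Channel channel) {
        if (!checkRest(restriction, isOperator, request, channel)) {
            return "halted";
        }
        return request.markedRestricted ? "handled-restricted" : "handled";
    }

    public static void main(String[] args) {
        for (Restriction r : Restriction.values()) {
            for (boolean operator : new boolean[] { false, true }) {
                Request request = new Request("/_example"); // constructed sample path
                Channel channel = new Channel();
                String outcome = dispatch(r, operator, request, channel);
                System.out.printf("%-7s operator=%-5b -> %-18s responses=%s%n", r, operator, outcome, channel.sent);
            }
        }
    }
}
```

A caller that ignores a false return would run the handler after a denial response has already been written to the channel, which is why the halt decision and the response are coupled in one call.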
-
maybeInterceptRequest
Description copied from interface: OperatorPrivileges.OperatorPrivilegesService
When operator privileges are enabled, certain requests need to be configured in a specific way so that they respect operator-only settings. For example, the restore snapshot request should not restore operator-only states from the snapshot. This method is where those requests are configured when necessary.
- Specified by:
maybeInterceptRequest in interface OperatorPrivileges.OperatorPrivilegesService
-
getOperatorOnlyRegistry
-